Apache + Modsecurity + Mlogc make crash in logging phase #1567

Closed
itbuiductai opened this issue Sep 19, 2017 · 5 comments
@itbuiductai

Hi @zimmerle @victorhora
Recently, we tried using mlogc to send audit log messages to a SIEM system. mlogc is configured with default options.
MaxConnections 10
MaxWorkerRequests 1000

But after this configuration had run for some days, it had a mistake. Within one minute, the idle workers of Apache increased fast and reached the MaxRequestWorkers peak. Apache couldn't handle new requests. System RAM and CPU were normal.
We monitored the Apache information and saw that all ESTABLISHED requests were in the LOGGING phase.
All Apache child processes were used. Old requests couldn't close their connections.

@itbuiductai
Author

Version: ModSecurity Log Collector (mlogc) v2.9.1

@victorhora victorhora self-assigned this Sep 19, 2017
@victorhora
Contributor

Hi @itbuiductai

Can you reproduce the same environment and check if you have the same results with ModSecurity 2.9.2? There are a number of fixes and improvements in 2.9.2 and I highly suggest running it.

https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.2

@itbuiductai
Author

Dear @victorhora
I upgraded my mod_sec version to 2.9.2 but this error still appears.
I hope you can spend time looking at the problem.
Moreover, I found an issue that may be the same as my problem: #576
I tried some of the solutions in this article, but none of them had any effect.

"
  • Check where your data files are stored (SecDataDir) and see if this might be slow due to an overfull directory? Maybe cleaning up the tmp directory helps already.
  • Try setting SecDataDir to its own dedicated directory.
  • Try setting SecDataDir to a tmpfs or memory filesystem.
"

I also checked I/O and CPU on my system, but it is normal: 0% wa.
Please tell me how I can find the root cause of the problem.

Thanks ./.

@itbuiductai
Author

Maybe this error came from mlogc. I tried "killall -9 mlogc" and the Apache service resumed!!!

@zimmerle
Contributor

Hi @itbuiductai,

The issue that you mentioned earlier (#576) is not related to this mlogc problem that you are facing. #576 is about a problem with the collections, which are not directly related to logging.

Indeed, it could be a consequence of a crash in mlogc. Is it possible for you to deploy mlogc outside of the Apache process? Having it detached from Apache makes it way easier to debug this kind of scenario. And it may be the final solution that you are looking for.

@zimmerle zimmerle self-assigned this Sep 28, 2017
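
The symptom reported at the top of this thread (workers piling up in the LOGGING phase until MaxRequestWorkers is reached) can be watched for in the machine-readable output of Apache's mod_status (`server-status?auto`). The following is an added example, not part of the original thread or of the ModSecurity project's code; the sample scoreboard is constructed, and the function names and the 0.5 threshold are assumptions.

```python
# Added example: parse mod_status "?auto" output and flag workers stuck in Logging.
# SAMPLE_STATUS is constructed for illustration, not captured from the reporter's server.
from collections import Counter

# mod_status scoreboard keys, as documented for Apache httpd
STATE_NAMES = {
    "_": "waiting", "S": "starting", "R": "reading", "W": "sending",
    "K": "keepalive", "D": "dns", "C": "closing", "L": "logging",
    "G": "graceful", "I": "idle_cleanup", ".": "open_slot",
}

SAMPLE_STATUS = """\
BusyWorkers: 9
IdleWorkers: 1
Scoreboard: LLLLLLWLL_......
"""

def parse_status(text):
    """Return the key/value fields of a server-status?auto response."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def logging_pressure(text, threshold=0.5):
    """Summarise worker states; 'stalled' is True when the share of
    allocated workers in the Logging state reaches the threshold (assumed 0.5)."""
    board = parse_status(text).get("Scoreboard", "")
    counts = Counter(STATE_NAMES.get(c, "unknown") for c in board)
    allocated = len(board) - counts["open_slot"]  # "." slots have no worker
    in_logging = counts["logging"]
    ratio = in_logging / allocated if allocated else 0.0
    return {
        "allocated": allocated,
        "logging": in_logging,
        "idle": counts["waiting"],
        "ratio": round(ratio, 2),
        "stalled": allocated > 0 and ratio >= threshold,
    }

if __name__ == "__main__":
    print(logging_pressure(SAMPLE_STATUS))
```

Run against periodic fetches of the status page, a sustained `stalled` result points at the audit-log sink rather than at request handling, which matches the observation that killing mlogc released the workers.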